Trane U.S. Inc. has mitigated an information exposure vulnerability in its Tracer SC field panel, according to an advisory published by ICS-CERT.
Maxim Rupp, the independent researcher who discovered the vulnerability, tested the update and validated that it resolves the remotely exploitable issue.
Tracer SC versions 4.2.1134 and earlier are affected.
This vulnerability allows an unauthorized party to obtain sensitive information from the contents of configuration files not protected by the web server.
Trane is a U.S.-based company that maintains offices throughout the U.S. It is a subsidiary of Ingersoll Rand.
The affected product, Tracer SC, is an intelligent field panel that communicates with HVAC equipment controllers. Tracer SC is deployed across several sectors, including commercial facilities. Trane U.S. Inc. estimates these products are used primarily in the United States and Europe, with a small percentage in Asia.
The web server application on the Tracer SC exposes the contents of specific directories to unauthenticated users. These directories hold configuration files that contain sensitive information, so anyone who can reach the web interface over the network can read them without logging in.
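The weakness described above is a web server that serves configuration directories to anonymous clients. The following Python script is an added example, not Trane's, ICS-CERT's or Maxim Rupp's code, and it uses no real Tracer SC paths: it spins up a local file server over a constructed directory tree, probes a list of candidate paths with no credentials to see which ones answer HTTP 200, and then repeats the probe against a hardened handler that refuses anonymous requests under a protected prefix and disables directory listings. The `/config/` prefix, the `panel.cfg` file and its contents are all hypothetical, chosen only for the demonstration; the same probe can be pointed at any device's web interface by passing its base URL and the paths of interest.

```python
"""Probe a web server for unauthenticated exposure of configuration directories.

Added example (not Trane's or ICS-CERT's code). The "/config/" prefix, the
"panel.cfg" file and its contents are constructed for this demo and are not
Tracer SC paths.
"""
import functools
import http.server
import os
import posixpath
import shutil
import socketserver
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request


def probe_paths(base_url, paths, timeout=3):
    """GET each path with no credentials; return {path: HTTP status code}."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code  # 401/403/404 are the answers we want to see
    return results


def exposed_paths(results):
    """Paths the server handed to an anonymous client (HTTP 200), sorted."""
    return sorted(p for p, code in results.items() if code == 200)


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock file server: lists directories and serves every file under its root.
    This is the weak setting, analogous to directories the web server leaves unprotected."""

    def log_message(self, fmt, *args):  # keep demo output clean
        pass


class DenyConfigHandler(QuietHandler):
    """Hardened variant: reject anonymous requests under protected prefixes before
    touching the filesystem, and never emit a directory listing anywhere."""

    PROTECTED_PREFIXES = ("/config/",)  # hypothetical prefix chosen for the demo

    def do_GET(self):
        raw = urllib.parse.unquote(self.path.split("?", 1)[0].split("#", 1)[0])
        # Collapse '//', './' and '../' so "/config", "//config/" and "/./config/x" all match.
        norm = "/" + posixpath.normpath("/" + raw).lstrip("/")
        if any(norm == p.rstrip("/") or norm.startswith(p) for p in self.PROTECTED_PREFIXES):
            self.send_error(403, "Authentication required")
            return
        super().do_GET()

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None


def _serve(handler_cls, root):
    """Start handler_cls on an ephemeral loopback port serving `root`; return (server, base_url)."""
    handler = functools.partial(handler_cls, directory=root)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Serve a constructed tree with both handlers; return (exposed_before, exposed_after)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "config"))
    with open(os.path.join(root, "config", "panel.cfg"), "w") as fh:
        fh.write("admin_password=constructed-sample-value\n")  # constructed data
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>public landing page</html>\n")
    candidates = ["/", "/config/", "/config/panel.cfg", "/config"]
    outcome = []
    for handler_cls in (QuietHandler, DenyConfigHandler):
        server, base = _serve(handler_cls, root)
        try:
            outcome.append(exposed_paths(probe_paths(base, candidates)))
        finally:
            server.shutdown()
            server.server_close()
    shutil.rmtree(root, ignore_errors=True)
    return tuple(outcome)


if __name__ == "__main__":
    before, after = run_demo()
    print("exposed with stock server:   ", before)
    print("exposed with hardened server:", after)
```

With the stock handler every candidate comes back 200 (the bare `/config` is redirected to `/config/` and then listed); with the hardened handler only the public landing page remains reachable. Note that hiding the directory listing alone is not enough: a client who already knows the file name still gets the file, which is why the deny rule is applied to the whole prefix rather than to the listing.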
CVE-2016-0870 has been assigned to this vulnerability, which carries a CVSS v3 base score of 5.3.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit it.
Users should contact their local Trane office for information on how to obtain this update, and should reference Trane service database number HUB-120517 when calling.
Trane also provides assistance to users who need help locating their local office.